Back to cryptphi's contests

Backd Tokenomics contest - cryptphi's results

Maximize the power of your assets and start earning yield

General Information

Platform: Code4rena

Start Date: 27/05/2022

Pot Size: $75,000 USDC

Total HM: 20

Participants: 58

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 15

Id: 131

League: ETH

Backd

Findings Distribution

Researcher Performance

Rank: 43/58

Findings: 1

Award: $159.01

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryBackd

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x29A, 0xNazgul, 0xf15ers, BowTiedWardens, Chom, Funen, Kaiziron, Kumpa, MiloTruck, Picodes, Ruhum, SecureZeroX, Sm4rty, SmartSek, StyxRave, WatchPug, Waze, asutorufos, bardamu, berndartmueller, c3phas, catchup, cccz, codexploder, cryptphi, defsec, delfin454000, dipp, fatherOfBlocks, gzeon, hake, hansfriese, hyh, masterchief, oyc_109, sach1r0, sashik_eth, shenwilly, simon135, unforgiven

Awards

159.0051 USDC - $159.01

Labels

bug
QA (Quality Assurance)
resolved
sponsor confirmed

External Links

Link to GitHub issue
  1. Reentrancy issue in a function The functions below have an external call which can allow user to reenter into the function. Although reentering the function would cause harm to the caller than good.

**Occurrences in: *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L130-L134 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L108-L111

  1. Missing events and emit Certain events and emits are necessary for core changes and admin/critical activities to allow monitoring on third party tools. The following below are missing;

**Occurrences in: *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L68 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L74 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/Minter.sol#L99

3.. Missing zero address check The following are missing checks for existence of zero address which may lead to transfers to zero address or causing some functions to no longer be accessible.

**Occurrences in: *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L124 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L56 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L103 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/BkdLocker.sol#L70 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/FeeBurner.sol#L31 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/FeeBurner.sol#L31 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/StakerVault.sol#L111 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/StakerVault.sol#L139 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/StakerVault.sol#L359 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/Minter.sol#L126 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/Minter.sol#L144 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L65

  1. Use of Deprecated safeApprove() function The OpenZeppelin ERC20 SafeApprove() function has been deprecated, replace safeApprove() with safeIncreaseAllowance() or safeDecreaseAllowance() instead.

**Occurrences in: *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L52 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L64 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/FeeBurner.sol#L118 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/zaps/PoolMigrationZap.sol#L27

  1. Max approvals are risky Maximum approvals are widely considered as unsafe if the approved contract becomes compromised/malicious.

**Occurrences in: *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L64 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/FeeBurner.sol#L118

6.. Costly external calls in a loop *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/Controller.sol#L127 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L44 *https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L44 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/FeeBurner.sol#L70 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L99 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L102

  1. Use of unsafe approve() https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L25

#0 - GalloDaSballo

2022-06-20T15:47:19Z

Reentrancy issue in a function

Would rephrase to lack of CEI pattern, as no reEntrancy was demonstrated

Missing events and emit

Informational

3.. Missing zero address check

Valid

Use of Deprecated safeApprove() function

Technically valid but safeApprove is being used correctly throughout the codebase

Max approvals are risky

In lack of alternative, the one line comment is not useful

6.. Costly external calls in a loop

In lack of a suggested refactoring, the one line comment is not useful

Use of unsafe approve()

Agree that this needs to be changed, and believe Low Severity to be appropriate because this is happening in a constructor

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter